id: GO-2022-0492
modules:
    - module: github.com/argoproj/argo-events
      versions:
        - fixed: 1.7.1
      vulnerable_at: 1.7.0
      packages:
        - package: github.com/argoproj/argo-events/sensors/artifacts
          symbols:
            - NewGitReader
          derived_symbols:
            - GetArtifactReader
summary: Path traversal in github.com/argoproj/argo-events
description: |-
    GitArtifactReader is vulnerable to directory traversal attacks.

    The GitArtifactReader.Read function reads and returns the contents of a Git
    repository file. A maliciously crafted repository can exploit this to cause Read
    to read from arbitrary files on the filesystem.
published: 2022-07-15T23:30:03Z
cves:
    - CVE-2022-25856
ghsas:
    - GHSA-qpgx-64h2-gc3c
credits:
    - Derek Wang
references:
    - fix: https://github.com/argoproj/argo-events/pull/1965
    - web: https://github.com/argoproj/argo-events/issues/1947
review_status: REVIEWED